PROGRAMMABLE LOGIC DEVICE WITH METHOD OF PREVENTING READBACK

FIELD OF THE INVENTION

The invention relates to PLDs, more particularly to protection of designs loaded into a PLD through a bitstream.

BACKGROUND OF THE INVENTION

A PLD (programmable logic device) is an integrated circuit structure that performs digital logic functions selected by a designer. PLDs include logic blocks and interconnect lines, and typically both the logic blocks and the interconnections are programmable. One common type of PLD is an FPGA (field programmable gate array), in which the logic blocks typically include lookup tables and flip flops, and can typically generate and store any function of their input signals. Another type is the CPLD (complex programmable logic device), in which the logic blocks perform the AND function and the OR function and the selection of input signals is programmable.

Problem with storing bitstream external to PLD

Designs implemented in PLDs have become complex, and it can take months to complete and debug a design to be implemented in a PLD. When the design is going into a system of which the PLD is a part and is to be sold for profit, the designer does not want the result of this design effort to be copied by someone else. The designer often wants to keep the design a trade secret. Many PLDs, particularly FPGAs, use volatile configuration memory that must be loaded from an external device such as a PROM every time the PLD is powered up. Since configuration data is stored external to the PLD and must be transmitted through a configuration access port, the privacy of the design can easily be violated by an attacker who monitors the data on the configuration access port, e.g. by putting probes on board traces.
Efforts have been made to encrypt designs, but it is difficult to make the design both secure from attackers and easy to use by legitimate users. The encryption algorithm is not a problem. Several encryption algorithms, for example the standard Data Encryption Standard (DES) and the more secure Advanced Encryption Standard (AES) algorithm, are known for encrypting blocks of data. The process of cipher block chaining (CBC), in which an unencrypted data word is XORed with the next encrypted data word before decryption, allows DES or AES to encrypt a serial stream of data, and these are therefore appropriate for encrypting a bitstream for configuring a PLD. A key used for encrypting the design must somehow be communicated in a secure way between the PLD and the structure that decrypts the design, so the design can be decrypted by the PLD before being used to configure the PLD. Then, once the PLD has been configured using the unencrypted design, the design must continue to be protected from unauthorized discovery.

A November 24, 1997 publication by Peter Alfke of Xilinx, Inc. entitled "Configuration Issues: Power-up, Volatility, Security, Battery Backup" describes several steps that can be taken to protect a design in an existing FPGA device having no particular architectural features within the FPGA to protect the design. Loading design configuration data into the FPGA, removing the source of the configuration data but using a battery to maintain continuous power to the FPGA while holding the FPGA in a standby non-operational mode is one method. However, power requirements on the battery make this method impractical for large FPGA devices.

Nonvolatile configuration memory is another possibility. If the design is loaded at the factory before the device is sold, it is difficult for a purchaser of the configured PLD device to determine what the design is. However, a reverse engineering process in which the programmed device is decapped, metal layers are removed, and the nonvolatile memory cells are chemically treated can expose which memory cells have been charged and thus can allow an attacker to learn the design. Further, nonvolatile memory requires a more complex and more expensive process technology than standard CMOS process technology, and takes longer to bring to market.

It is also known to store a decryption key in nonvolatile memory in a PLD, load an encrypted bitstream into the PLD and decrypt the bitstream using the key within the PLD. This prevents an attacker from reading the bitstream as it is being loaded into the PLD, and does retain the key when power is removed from the PLD. Such an arrangement is described by Austin in U.S. Patent 5,388,157. But this structure does not protect the user's design from all modes of attack.

In addition to design protection, some users need data protection. They may have generated data within the PLD that should not be lost when the PLD loses power. It is desirable to protect such data.

There remains a need for a design protection method that is convenient, reliable, and secure.

SUMMARY OF THE INVENTION

The invention provides several structures and methods for protecting a PLD from unauthorized use and data loss.

If the PLD is configured by static RAM memory that must be loaded on power-up, the configuration data must be protected as it is being loaded into the device. As in the prior art, this is accomplished by encrypting the configuration data for storing it in a memory outside the integrated circuit device, loading one or more decryption keys into the PLD and maintaining the keys in the PLD when powered down, including a decryption circuit within the PLD that uses the key to decrypt the configuration data, generating decrypted configuration data within the PLD and configuring the PLD using the decrypted configuration data.

For additional security, rather than using nonvolatile memory to preserve keys, the invention preferably uses a battery connected to the PLD to preserve the key when power is removed from the PLD. Whereas it is possible to remove a PLD storing keys in nonvolatile memory, decap the PLD and observe which of the nonvolatile bits are programmed to logic 1 and which are programmed to logic 0, it is believed that it is very difficult to determine the contents of keys stored only in static memory cells, since power must be maintained to the memory cells storing the keys in order for the keys to even be stored, and the PLD would have to be decapped, delayered, and probed while operating power is continuous to the PLD.

Ways an attacker can steal a design once loaded into a PLD

If a key does not offer sufficient security, an attacker may break the encryption code and determine the value of the key. The well-known Data Encryption Standard DES used a 56-bit encryption key, and has been broken in a few hours by a sophisticated computer to reveal the key. DES is described by Bruce Schneier in "Applied Cryptography Second Edition: protocols, algorithms, and source code in C", copyright 1996 by Bruce Schneier, published by John Wiley & Sons, Inc., at pages 265-275. If it is desirable to use such a well known encryption standard, then in order to increase security, the configuration data may be encrypted several times using different keys each time, thus strengthening the encryption code by about 2^56 each time the encryption is repeated. Or it may be encrypted using a first key, decrypted using a second key, and encrypted using a third key, a combination that is part of the triple DES standard. Other encryption algorithms may also be used, and it is not necessary to keep the algorithm secret since the security resides in the key. When the encryption method is symmetrical, the same keys used for encryption are stored in the PLD and used in reverse order for decryption.

In a PLD offering multiple keys, if the number of keys to be used and the addresses of all keys were provided in an unencrypted bitstream, an attacker might be able to attack the keys one at a time and more easily determine the key values. To avoid such attack, additional security is achieved by storing within the keys, not the bitstream, an indication of how many keys are to be used and whether a key is the last key of a set or whether more are to follow.
If the PLD offers the option of reading back the bitstream loaded into the PLD, an attacker may use this feature or another method that can read back this bitstream. To avoid this method of attacking the design, in one embodiment a PLD that offers readback and also offers encryption includes the ability to disable the readback feature when encryption is used. In another embodiment the PLD that offers the ability to read back encrypts the configuration data before it is read back.

Additionally, some PLDs offer the option of partial configuration (where several configuration addresses are specified for loading several portions of a design) and partial reconfiguration (where an existing design is not erased before new design data are loaded). If the PLD offers these options, an attacker could partially reconfigure a PLD to make successive portions of the design visible, and probably learn the whole design. To avoid such an attack, in one embodiment partial configuration and reconfiguration of PLDs loaded with encrypted designs are disallowed. In another embodiment several configuration addresses can be specified, but the addresses are encrypted.

Yet another mode of attack is to try to flip a bit that indicates the security status of the PLD. Lowering or raising the operating voltage, changing the temperature, and applying noise to certain ports come to mind. To protect against such bit-flipping, when the PLD is operating with a secured bitstream, a secure-mode flag is set, and in one embodiment, if this flag becomes cleared, configuration data is erased. In another embodiment that doesn't allow for reconfiguration while the device is still operating, the configuration data is erased before any bitstream is sent.

Another mode of attack is to relocate portions of the encrypted bitstream so that when they are unencrypted they are placed into visible portions of the PLD not intended by the designer. To prevent this relocation, address information is used in the encryption and decryption processes so that sending a portion of an encrypted bitstream to a different PLD location from that intended by the designer will cause it to decrypt differently into data with no meaning. Cipher block chaining (CBC) is one effective means of achieving this result. In cipher block chaining, the decrypted data packet (block) is combined using the XOR function with the next data block before the next block is decrypted; thus the encrypted data for each data block depends on every block that preceded it and on the order of those blocks. Identical blocks of data will encrypt to different values depending on the value of the data blocks that preceded them. This way, if the order of the blocks is changed, the bitstream will not decrypt correctly because the place where the encrypted bitstream is rearranged will scramble subsequent data. Further, the initial CBC value can be modified to incorporate the address of the data to force the decrypted data to be placed at a specific location in order to decrypt correctly.
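The following Python is an added illustration of the two mechanisms just described (a set of keys whose count and order are recorded in key memory rather than in the bitstream, and cipher block chaining whose starting value is bound to the destination address); it is not code from the patent or from Xilinx. It uses a small Feistel network as a stand-in 64-bit block cipher (an assumption; DES or AES would take its place in hardware), applies the keys read from a constructed key memory in encrypt-decrypt-encrypt order with outer CBC, and shows that reordering two ciphertext blocks, or decrypting at a different frame address, yields meaningless data. The key-memory layout, the choice to put a 32-bit frame address in the low half of the 64-bit starter value, and all sample values are assumptions made for the example.

```python
import hashlib
import hmac
import struct

BLOCK = 8  # 64-bit blocks, the DES block size the patent discusses


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel network: a stand-in block cipher (assumed; not DES/AES)
    # with a 64-bit block interface, so the chaining logic below is the real thing.
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:4], block[4:]
    for rnd in reversed(range(4)):
        right, left = left, _xor(right, _round_fn(key, left, rnd))
    return left + right


def read_key_chain(key_memory: dict, start_addr: int) -> list:
    # Walk key memory from the initial key address until a key flagged "last";
    # the bitstream carries only the start address, never the key count.
    keys, addr = [], start_addr
    while True:
        key, is_last = key_memory[addr]
        keys.append(key)
        if is_last:
            return keys
        addr += 1


def multi_encrypt(keys: list, block: bytes) -> bytes:
    # Encrypt with key 1, decrypt with key 2, encrypt with key 3 (EDE, as in triple DES).
    for i, key in enumerate(keys):
        block = block_encrypt(key, block) if i % 2 == 0 else block_decrypt(key, block)
    return block


def multi_decrypt(keys: list, block: bytes) -> bytes:
    # Same keys, applied in reverse order with the inverse operations.
    for i, key in reversed(list(enumerate(keys))):
        block = block_decrypt(key, block) if i % 2 == 0 else block_encrypt(key, block)
    return block


def mod_cbc_iv(cbc_starter: bytes, frame_address: int) -> bytes:
    # Assumed layout: the low-order 32 bits of the 64-bit CBC starter are
    # replaced by the frame address the data is destined for.
    return cbc_starter[:4] + struct.pack(">I", frame_address)


def cbc_encrypt(enc, iv: bytes, blocks: list) -> list:
    # Outer CBC around the (multi-key) block operation.
    out, prev = [], iv
    for block in blocks:
        prev = enc(_xor(block, prev))
        out.append(prev)
    return out


def cbc_decrypt(dec, iv: bytes, blocks: list) -> list:
    out, prev = [], iv
    for block in blocks:
        out.append(_xor(dec(block), prev))
        prev = block
    return out


def demo() -> dict:
    # Constructed key memory: three keys at addresses 5..7, only the last one flagged.
    key_memory = {5: (b"k1" * 8, False), 6: (b"k2" * 8, False), 7: (b"k3" * 8, True)}
    keys = read_key_chain(key_memory, 5)
    enc = lambda b: multi_encrypt(keys, b)
    dec = lambda b: multi_decrypt(keys, b)
    starter = bytes(range(8))                       # constructed 64-bit CBC starter
    frame_addr = 0x40                               # constructed frame address
    plain = [b"frame_%02d" % i for i in range(4)]   # constructed 8-byte design words
    iv = mod_cbc_iv(starter, frame_addr)
    cipher = cbc_encrypt(enc, iv, plain)
    swapped = [cipher[1], cipher[0]] + cipher[2:]   # two ciphertext blocks reordered
    return {
        "plain": plain,
        "recovered": cbc_decrypt(dec, iv, cipher),
        "swapped": cbc_decrypt(dec, iv, swapped),
        "relocated": cbc_decrypt(dec, mod_cbc_iv(starter, frame_addr + 1), cipher),
    }
```

Running `demo()` returns the original words under "recovered", garbage for the two swapped blocks and the block after them under "swapped", and garbage for the first block (the one whose decryption depends directly on the address-bound starter) under "relocated". The design choice worth noting is that `read_key_chain` is the only place the key count appears: the decryptor learns it from the "last" flags stored beside the keys, so an unencrypted header reveals nothing about how many keys protect the design.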

Alternatively, if the PLD allowed part of a design to be encrypted and part to be unencrypted, the attacker could add an unencrypted portion to the encrypted portion that would read out information about the encrypted portion of the design. Thus, additional security is achieved by permitting the design to be totally encrypted or totally unencrypted, but not to be mixed. Further to this, in one embodiment, when data are being encrypted, additional security is provided by allowing only a single full-chip configuration following a single starting address for the configuration data.

Further, in order to allow convenient testing and debugging and to allow the PLD manufacturer to communicate freely with its customers (the designers who produce the designs for configuring the PLD), the PLD has both encrypted and unencrypted modes of operating, and when operating in the encrypted mode, parts of the configuration bitstream that control loading of the configuration data into the PLD are still not encrypted.

As another mode of attack, if the PLD manufacturer gives information freely about the configuration bitstream format, including header information and addresses for loading configuration data, and gives information about the encryption method used, encrypting this well known information would expose the encryption key to possible discovery. Such exposure is avoided by encrypting only the actual configuration data and leaving control information unencrypted.
If the PLD manufacturer allows the key memory to be placed in secure and non-secure modes, an attacker could simply learn the keys by placing the key memory into non-secure mode and reading out the keys. To avoid such attack, the PLD manufacturer includes a circuit that causes all keys plus any configuration data loaded into the PLD to be erased when the key memory is moved to non-secure mode.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 shows functional relationships in a prior art FPGA.

Figs. 2a, 2b, 2c, and 2d show bitstream format and commands that can be included in a prior art bitstream.

Fig. 3 shows functional relationships in an FPGA according to one embodiment of the present invention.

Figs. 4a, 4b, 4c, and 4d show bitstream format and commands that can be included in a bitstream of the present invention.

Figs. 5a and 5b show example unencrypted and encrypted bitstreams.

Fig. 6 shows configuration logic 29 and the lines in bus 27 and bus 28 leading to decryptor 24.

Fig. 7a shows the modified starting value for outer cipher block chaining with triple encryption used in one embodiment of the invention.

Fig. 7b shows the corresponding starting value and decryption process used with Fig. 7a.

Fig. 8 shows flow of the operations for processing a bitstream.

Fig. 9 shows a state machine implemented by decryptor 24 to evaluate key order.

Fig. 10a shows the structure of key memory 23 of Fig. 3.

Fig. 10b shows the structure of the memory cells of Fig. 10a.

Fig. 11 shows the steps performed by control logic 23a of Fig. 10a to erase keys when made non-secure.

Fig. 12 shows in more detail the battery supply switch of Fig. 10a.

Figs. 13 and 14 show the level shift circuit and voltage detection circuit of the battery supply switch of Fig. 12.

Fig. 15 shows a state machine for erasing a design when a secure mode is exited.

Fig. 16 shows a block diagram of elements for loading configuration memory and reading back configuration, including lines disabled when encryption is present.

DETAILED DESCRIPTION

Fig. 1 shows a prior art structure for an FPGA 10. The FPGA includes programmable logic 11, typically comprising (1) logic blocks with lookup table combinatorial logic function generators, flip flops for storing lookup table outputs and other values, and multiplexers and logic gates for enhancing the logic ability of the programmable logic, (2) routing lines and programmable interconnection points for routing signals around the FPGA, and (3) input/output blocks for driving signals between the routing lines and the external pins of the FPGA.

The FPGA also includes configuration memory 12 for turning on routing transistors, controlling multiplexers, storing lookup tables and controlling the input/output blocks, all of this for the purpose of configuring the FPGA to perform the function desired by the designer(s). Bus 16 connects configuration memory 12 to programmable logic 11 and is typically a distributed set of control lines located throughout the FPGA. Some Xilinx products (e.g. XC6200) have included a bus 17 by which programmable logic 11 causes configuration logic 14 to send programming information to configuration memory 12. Such a structure is described by Kean in U.S. 5,705,938.

FPGA 10 further includes a JTAG logic block 13 for interfacing with JTAG port 20, especially intended for testing of the board in which the FPGA will be placed. JTAG logic block 13 implements the IEEE standard 1532, which is a superset of the IEEE standard 1149.1. JTAG allows debugging of a design at the board level.
Finally, FPGA 10 includes configuration logic 14 for responding to a configuration bitstream from external source 19 on configuration access port 21 and for interfacing with JTAG logic block 13. The bitstream on configuration access port 21 is treated as words, in one embodiment 32-bit words. Several of the words, usually at or near the beginning of the bitstream, are used for setting up the configuration process and include, for example, the length of a configuration memory frame and the starting address for the configuration data. Bus 19 allows communication between configuration logic 14 and JTAG logic block 13 so that the JTAG port can be used as another configuration access port. Bus 18 allows communication between configuration logic block 14 and configuration memory 12. In particular, it carries addresses to select configuration frames in memory 12, control signals to perform write and read operations, and data for loading into configuration memory 12 or reading back from configuration memory 12.

Configuration logic block 14 receives instructions and data, and processes the data according to the instructions. These instructions come into configuration logic 14 as a bitstream. An instruction, or header, is usually followed by data to be acted upon. Fig. 2a shows an example bitstream structure. Header A specifies an action and specifies that a single word, Data A, will follow. Header B specifies an action and in this case specifies that 4 words of data will follow to be acted upon.

Fig. 2b shows the default format (format type 001) for a 32-bit header word in the bitstream used in the Virtex(R) devices available from Xilinx, Inc. (Virtex is a registered trademark of Xilinx, Inc., assignee of the present invention). This format includes three bits to indicate the format type (001), two bits to specify an op code, 16 bits for a configuration logic register address, and 11 bits for a word count. The op code can designate a read operation, a write operation or no operation. For example, 00 can designate no operation, 01 can designate read and 10 can designate write. The 11 bits for word count can specify 2^11 words or 2048 words. As shown in Fig. 2c, if the word count is greater than this, the word count bits in format type 001 are set to 00000000000 and the header of format type 001 is followed by a header of format type 2. Format type 2 uses 27 bits to specify word count, and can thus specify 2^27 words or 2.66 million words.

Fig. 2d shows the kinds of control information that can be loaded into the registers of Configuration Logic 14 by headers for a Virtex bitstream. For example, a header (of format 001) having the configuration logic register address 0000 specifies that the next 32-bit data word should be loaded into the cyclic redundancy check (CRC) register. (Virtex devices use a 16-bit cyclic redundancy check value, so some bits will be padded with 0's.) If the header includes an address 0001, the next data will be loaded into the Frame Address register in order to specify a frame (column) in configuration memory 12 to receive or provide data.

The Configuration Logic Register address (16 bits) shown in Fig. 2b provides the 4-bit values shown in the left column of Fig. 2d that select one of the registers in configuration logic 14 (Fig. 1) into which to place the next 32-bit data word. The Frame Length register (address 1011) specifies the length of the frame into which the configuration data will be loaded. (Frame length, or column height, depends upon the size of the PLD. Larger PLDs usually have taller columns or longer frames. Specifying the frame length in the bitstream and storing the frame length in a register, rather than providing a different structure in the PLD for parsing the data words into frames, allows the internal configuration logic to be identical for PLDs of different sizes.)

For readback, a read command is placed in the op code field and the Frame Data Output register is addressed, followed by a Word Count (using Command Header Format 2 if necessary). The specified number of words is read back from configuration memory 12, starting at the address specified in the Frame Address register, and shifted out on either configuration access port 21 or JTAG port 20. (Readback data is returned to the port that issued the readback instruction.)

Specifying a word count in a bitstream header or pair of headers (Figs. 2b and 2c) sets a counter that counts down as the data words are loaded. For many configuration logic register addresses the word count is 1. But if the bitstream header has a configuration logic address of 0010 or 0011 to indicate configuration data are being loaded in or read back, the word count will be much larger. This is when header format 2 of Fig. 2c is used. Data loaded into configuration memory 12 through the frame data input register (address 0010) or read out through the frame data output register (address 0011) is called the design data because it causes the FPGA to implement a design or shows the status of a design. The other register data are control data since they control how the configuration logic behaves while the logic is being configured or read back.

Further detail about configuration of Virtex devices can be found in the "Virtex Configuration Guide" published October 9, 2000 by Xilinx, Inc. (assignee of the present invention), 2100 Logic Drive, San Jose, CA 95124.

Configuration logic 14 typically performs a cyclic redundancy check on a configuration bitstream coming in (see Erickson, U.S. Patent 5,321,704, or see pages 39 through 40 of the above referenced Virtex Configuration Guide), reads header bits indicating the frame length of the part being configured and the word count of the configuration data, reads address instructions identifying where to load configuration data, collects frames of configuration data and loads them into columns of configuration memory 12 indicated in the addresses. Configuration logic 14 also controls readback of configuration data and flip flop values from configuration memory 12 to an external location. In a Virtex FPGA available from Xilinx, Inc., readback can be done through either JTAG port 20 or through configuration access port 21.

Configuration logic 14 can also receive configuration data from programmable logic 11. More information about prior art FPGA structures in which part of the FPGA configures another part of the FPGA can be found in Kean, U.S. Patent 5,705,938. More information about architectures of FPGAs similar to the Virtex architecture can be found in Young et al., U.S. Patent 5,914,616. The format of a bitstream used with the Virtex product available from Xilinx, Inc., assignee of the present invention, is described in an Application Note, XAPP138, entitled "Virtex FPGA Series Configuration and Readback", available from Xilinx, Inc., 2100 Logic Drive, San Jose, CA 95124, published October 2000.

PLD with Decryption

Fig. 3 shows a block diagram of an FPGA (a type of PLD) according to one embodiment of the present invention. Some elements are the same as shown in Fig. 1, are given the same reference numbers, and are not explained again. In addition, Fig. 3 includes an expanded configuration logic unit 29, a decryptor 24 and a key memory 23. Fig. 3 shows an embodiment in which key memory 23 is loaded on bus 25 from JTAG access port 20. In other embodiments, key memory 23 is loaded through another port. Bus 25 carries data, addresses, and control signals to perform write and read operations and allows programming of the decryption keys from JTAG port 20. In one embodiment, bus 26 allows programming of the keys from the configuration port. In another embodiment, bus 26 is eliminated. In yet another embodiment, bus 26 is present and bus 25 is eliminated. In an embodiment described further herein, bus 26 carries security data from key memory 23 to configuration logic 29. In one embodiment bus 27 carries encrypted configuration data from configuration logic 29 to decryptor 24 and carries decrypted configuration data back to configuration logic 29. Bus 28 allows decryptor 24 to access the keys for decrypting data. When the structure of Fig. 3 is being loaded with encrypted data, an attacker who monitors the bitstream as it is being loaded receives only the encrypted bitstream and can not learn the user's design by this method.

Partially Encrypted Bitstream

According to another aspect of the invention, the bitstream comprises two portions, a data portion representing the user's design that can be encrypted or not, and a control portion controlling loading of the bitstream (for example giving addresses of columns in the PLD into which successive portions of the bitstream are to be loaded, providing a cyclic redundancy check (CRC) code for checking reliability of the loading operation, and a starter number for cipher block chaining (CBC), a technique that prevents a "dictionary attack" where the decrypted data can be deduced from the frequency of occurrence of the encrypted data). In a preferred embodiment of the invention, the data portion may be encrypted but the control portion is unencrypted. This provides additional security because the PLD manufacturer needs to describe freely the control features of the bitstream, and if this relatively well known control information were encrypted, an attacker might be able to decrypt this information and use this information to decrypt the entire bitstream. Further, keeping the control portion of the bitstream unencrypted makes it easier for the PLD to use the information.

In another embodiment, used when the order of addresses in which configuration data is loaded may be useful to an attacker in analyzing the design, the address of the configuration data is also encrypted, but other control information in the configuration bitstream remains unencrypted.

Figs. 4a-4d illustrate differences in bitstream format and registers of configuration logic 29 in comparison to the format and registers of configuration logic 14 of the prior art product shown in Figs. 2a-2d. As shown in Fig. 4a, the bitstream still includes header words followed by data words. In a typical configuration, several control data words will be loaded into registers before encrypted configuration data begins. Fig. 4a shows an example in which three header words Header A, Header B, and Header C are each followed by three unencrypted control data words Data A, Data B, and Data C. (In an actual configuration, more than three control data words will likely be provided.) Next, Header D specifies that encrypted configuration data will follow and is followed by multiple words Data 1D, Data 2D, Data 3D, etc. of encrypted configuration data. These words have been shaded in Fig. 4a to emphasize that this data is encrypted.
As shown in Figs. 4b and 4c, a fourth op code has been added. In addition to the values 00 for no operation, 01 and 10 for read and write without decryption, the new value 11 specifies that writing is to be with decryption. (It is not important what code or what method is used to specify that decryption is to be used, or even that it is specified through an op code. It is just important that optional encryption and decryption be allowed and indicated, so that designers can make use of the option.) In the embodiment of Fig. 4d, two new configuration logic registers are added. Shown at addresses 1100 and 1101 are the register for holding a cipher block chaining (CBC) starter value and the address for the initial encryption key.

Optional Encryption

According to another aspect of the invention, a PLD can accept both encrypted and unencrypted data portions of the bitstream. The control portion of the bitstream indicates whether the data portion of the bitstream is encrypted. If the data portion of the bitstream is encrypted, it is diverted within the PLD to a decryptor and after decryption is used to configure the PLD. If unencrypted, it is not diverted, and is used directly to configure the PLD.

There are some occasions for which it is preferable not to encrypt the bitstream. Certain test activities used during debugging a design require reading back the configuration information. It is more straightforward to diagnose a configuration problem if an encryption step has not been performed (especially if the designer is trying to determine whether encryption has anything to do with the problem). Also, if several designers are writing code to be implemented in parts of the PLD and different parts of the PLD are configured at different times, it may be necessary to make all portions of the bitstream visible, and to allow the PLD to be partly reconfigured.

Figs. 5a and 5b show example bitstream portions representing the same design, first unencrypted and then encrypted, to illustrate the differences between an unencrypted bitstream and an encrypted bitstream in one embodiment of the invention. An actual bitstream includes the 0's and 1's at the right of the figures and none of the text at the left. The text at the left is provided to explain the meaning of the bits to the right. These bitstream portions use the commands illustrated in Figs. 4b-4d. In order to emphasize the differences between the unencrypted version of Fig. 5a and the encrypted version of Fig. 5b, the differences are shown in bold.

Looking at Fig. 5a, after a dummy word (a constant high signal interpreted as all 1's) and a sync word with a specified pattern of 1's and 0's, the next word is of type 001 with an op code of 10, has an address of 0000000000010000 and a word count of 00000000001. Thus this word addresses the command register CMD and specifies that one word will be written there. Fig. 5a has been annotated to the left of the bitstream to indicate that this word is type 1 and indicates to write 1 word to CMD. The following word 111 is the data to be placed in command register CMD, and resets a CRC (cyclic redundancy check) register. (In a preferred embodiment, the PLD includes a circuit, not shown, such as described by Erickson in U.S. Patent 5,...,424 to calculate a CRC value from the bitstream as the bitstream is being loaded, and protects against glitches in the bitstream voltages that might cause incorrect bits to be loaded.) Next, a header word specifies that the format is again type 1 and it specifies to write 1 word to the frame length register FLR. The word that follows, 11001, specifies the frame length (25 words). Similarly, several additional header and data words follow, including the header specifying the word to be written to the frame address register FAR. In this case, the following data word indicates data will start at address 0. Finally, after these registers have been loaded, a command comes to write data to the frame data input register FDRI and since quite a bit of data will be written, the word count is given as 00000000000 and a header of type 2 specifies that 10630 words will be written to the FDRI register. This is the actual design data that causes the PLD to be configured. Thus the next 10630 words in the bitstream are design data. Finally, to assure that data have been loaded correctly, the CRC value calculated by the device that originated the configuration data is loaded and compared to the CRC value that has been calculated by the PLD. Additional commands and data are loaded in order to indicate that configuration is complete and to move the PLD into operation mode.
Fig. 5b is similar to Fig. 5a, and differs only where the data and annotations are shown in bold. In Fig. 5b, the data are encrypted, and additional commands are used to provide the initial key address and to write two words (64 bits) to the CBC (cipher block chaining) register. Next a type 1 header includes the op code 11 and indicates that data will be decrypted before being written to frame data input register FDRI. A type 2 header follows, again with the op code giving the instruction that 10630 words are to be decrypted and written to data input register FDRI. The 10630 encrypted data words then follow. Then the CRC word follows for confirming that the (encrypted) data were loaded correctly. Finally, the additional commands and data are sent, and place the PLD into operation mode if all is correct.
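The header layout that the Fig. 5a walk-through implies can be checked with a small decoder. The block below is an added example written for this edit, not code from the patent or from any PLD vendor. The field widths (3-bit type, 2-bit op code, 16-bit register address, 11-bit word count; a 27-bit word count in a type 2 header) are an assumption taken from the digit counts shown on the page, the sync pattern and the FLR/FDRI register codes are constructed placeholders, and the design data is constructed. It builds the Fig. 5a and 5b sequences, parses them back into register writes, and rejects a stream that is truncated inside the 10630-word design payload.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DUMMY_WORD = 0xFFFF_FFFF            # constant-high pad, read as all 1's
SYNC_WORD = 0xA5A5_5A5A             # constructed stand-in for the real sync pattern

OP_WRITE = 0b10                     # page: op code 10, write data unencrypted
OP_DECRYPT_WRITE = 0b11             # page: op code 11, decrypt before writing

# Register address field values. CMD is read off the Fig. 5a example word; FAR,
# INIT_CBC, INIT_KEY_ADDR and STATUS are the 4-bit Fig. 4d codes the text quotes,
# placed in the low bits of the 16-bit field (assumption). FLR and FDRI codes are
# not on the page, so they are constructed placeholders.
REG_CMD, REG_FAR, REG_INIT_CBC, REG_INIT_KEY_ADDR, REG_STATUS = 0x0010, 0x0001, 0x000C, 0x000D, 0x0007
REG_FLR, REG_FDRI = 0x0102, 0x0103
REG_NAMES = {REG_CMD: "CMD", REG_FAR: "FAR", REG_INIT_CBC: "INIT_CBC",
             REG_INIT_KEY_ADDR: "INIT_KEY_ADDR", REG_STATUS: "STATUS",
             REG_FLR: "FLR", REG_FDRI: "FDRI"}


def type1_header(opcode: int, address: int, word_count: int) -> int:
    """type(3) | op(2) | address(16) | word count(11)"""
    if not (opcode < 4 and address < (1 << 16) and word_count < (1 << 11)):
        raise ValueError("field out of range")
    return (0b001 << 29) | (opcode << 27) | (address << 11) | word_count


def type2_header(opcode: int, word_count: int) -> int:
    """type(3) | op(2) | word count(27); used after a type 1 header whose count is 0."""
    if not (opcode < 4 and word_count < (1 << 27)):
        raise ValueError("field out of range")
    return (0b010 << 29) | (opcode << 27) | word_count


def decode_header(word: int) -> Tuple[int, int, Optional[int], int]:
    typ, opcode = word >> 29, (word >> 27) & 0b11
    if typ == 1:
        return typ, opcode, (word >> 11) & 0xFFFF, word & 0x7FF
    if typ == 2:
        return typ, opcode, None, word & 0x7FF_FFFF
    raise ValueError(f"unknown header type {typ:03b}")


@dataclass
class RegisterWrite:
    address: int
    opcode: int
    data: List[int] = field(default_factory=list)

    @property
    def name(self) -> str:
        return REG_NAMES.get(self.address, f"0x{self.address:04x}")

    @property
    def encrypted(self) -> bool:
        return self.opcode == OP_DECRYPT_WRITE


def parse_bitstream(words: List[int]) -> List[RegisterWrite]:
    """Skip dummy words, require the sync word, then pair each header with its data."""
    i = 0
    while i < len(words) and words[i] == DUMMY_WORD:
        i += 1
    if i >= len(words) or words[i] != SYNC_WORD:
        raise ValueError("sync word not found")
    i += 1
    writes: List[RegisterWrite] = []
    while i < len(words):
        typ, opcode, address, count = decode_header(words[i])
        i += 1
        if typ != 1:
            raise ValueError("a register write must start with a type 1 header")
        if count == 0:                       # long transfer: the count is in a type 2 header
            if i >= len(words):
                raise ValueError("type 2 header missing")
            typ2, opcode2, _, count = decode_header(words[i])
            i += 1
            if typ2 != 2 or opcode2 != opcode:
                raise ValueError("type 2 header must follow with the same op code")
        if i + count > len(words):
            raise ValueError(f"bitstream truncated inside write to {REG_NAMES.get(address, address)}")
        writes.append(RegisterWrite(address, opcode, words[i:i + count]))
        i += count
    return writes


def is_well_formed(words: List[int]) -> bool:
    try:
        parse_bitstream(words)
        return True
    except ValueError:
        return False


def build_example_stream(encrypted: bool = False, design_words: int = 10630) -> List[int]:
    """Constructed stream in the Fig. 5a/5b order: CMD, FLR, FAR, (key/CBC), then FDRI."""
    op = OP_DECRYPT_WRITE if encrypted else OP_WRITE
    words = [DUMMY_WORD, DUMMY_WORD, SYNC_WORD,
             type1_header(OP_WRITE, REG_CMD, 1), 0b111,            # reset CRC
             type1_header(OP_WRITE, REG_FLR, 1), 25,               # frame length 25 words
             type1_header(OP_WRITE, REG_FAR, 1), 0]                # start at frame address 0
    if encrypted:                                                 # Fig. 5b additions
        words += [type1_header(OP_WRITE, REG_INIT_KEY_ADDR, 1), 0,
                  type1_header(OP_WRITE, REG_INIT_CBC, 2), 0x1234_5678, 0x9ABC_DEF0]
    words += [type1_header(op, REG_FDRI, 0), type2_header(op, design_words)]
    words += [(0x0BAD_0000 + n) & 0xFFFF_FFFF for n in range(design_words)]  # constructed design data
    return words
```

The parser treats a type 1 header with a zero word count as the page describes it, as a prefix for the type 2 header that carries the real count, and it requires the two op codes to agree so that a plaintext-write header cannot be paired with a decrypt-write count.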


Decryption Process 

Fig. 6 shows how optional decryption is accomplished in one embodiment. Fig. 6 shows the detail of configuration logic 29 and of buses 27 and 28 leading into decryptor 24. Bus 27 includes the following:

• the 3-bit initial decryption key address "Init_key_addr" taken from register address 1101 (Fig. 4d) in configuration logic 29,
• the 64-bit modified cipher block chaining value "modCBC". This value is formed by replacing the lower order bits of the 64-bit CBC value taken from register address 1100 (Fig. 4d) in configuration logic 29 with the 22-bit Frame Address value specified in Register 0001,
• the 64 lines "Encrypted_data" for loading encrypted data, taken from the bitstream,
• the 64 lines "Decrypted_data" for returning the decrypted data produced by decryptor 24 to configuration logic 29,
• a line for the "Enc_data_rdy" signal that tells decryptor 24 that data is on the "Encrypted_data" lines and that decryptor 24 can start decrypting,
• a line for the signal "Dec_data_rdy" that tells configuration logic 29 that decryption on a 64-bit word is complete and is available on the "Decrypted_data" lines, and
• a Bad_key_set line used by decryptor 24 to cause configuration logic 29 to abort the configuration and set a status register accordingly when the keys have not been used as specified, for example, by the bits in key memory that designate whether the keys are to be first, middle, or last of a set. In the embodiment shown in Fig. 4d, the status register is at address 0111, and the Bad_key_set error is indicated by storing a logic 1 in one of the bits.

Bus 28 is comprised of the following:

• 3 lines for the key address, which is initially the key address provided from bus 27, but which is updated each time a new key is used,
• 56 lines for the decryption key, and
• 2 lines for indicating whether the decryption key is the first, middle, last or only key to be used.


One potential attack on a design in an encrypted bitstream is to change the frame address register (starting address) in the encrypted bitstream so that when it is decrypted it is loaded into a portion of the FPGA visible when the FPGA is being used. In some designs the content of the block RAM is visible. In all designs the configuration of the input/output ports is visible and therefore the configuration bits can be determined. Thus if successive portions of the design were moved to visible portions of the FPGA, even though the FPGA did not function properly, an attacker could in repeated relocation learn the contents of the unencrypted bitstream.
To prevent design relocation, in one embodiment, an initial value used by the cipher block chaining method used with the DES standard is modified. Figs. 7a and 7b show the encryption and decryption portions of a triple DES algorithm, respectively, as modified according to the invention. The standard cipher block chaining method starts the encryption process by XORing a starting number (can be designer supplied or randomly generated) with the first word of data to be encrypted. According to the invention, part of the random number is replaced by address information, in the present example the 22-bit address of the first frame into which data will be loaded in configuration memory 12. The starter CBC value, a 64-bit number, has its least significant bits (labeled in Fig. 7a) replaced by the frame address, labeled y, to produce a modified 64-bit value that depends upon the address into which data will be loaded. This modified CBC value is XORed with the first word of configuration information Word1, then the encryption algorithm is used to produce the first encrypted word Encrypted Word1, which is placed into the bitstream. Fig. 7a shows a triple encryption algorithm with outer cipher block chaining, comprising an encryption step enc, using the first key, followed by a decryption step dec, using the second key, followed by an encryption step enc, using the third key. This first encrypted word Encrypted Word1 is XORed with the second unencrypted word Word2 and the encryption process is repeated to produce encrypted Word2. The XOR chaining continues until all configuration data have been encrypted.

As shown in Fig. 7b, the PLD must perform the reverse process to derive the decrypted words. For the above encryption sequence, the decryption sequence would be decryption step dec, using key 3, then encryption step enc, using key 2, then decryption step dec, using key 1. Importantly, part of the initial value for generating Decrypted Word1 is to use the same frame address for both encryption and decryption. The PLD, not the bitstream, generates the modified CBC value from the frame address stored in the frame address register, which is also used to specify the frame of configuration memory 12 into which configuration data are to be loaded. So if an attacker changes the frame address into which the data are to be loaded, the modified CBC value changes accordingly, and the configuration data are not correctly decrypted.

The XOR step produces the original data that was in the designer's bitstream before it was encrypted. Original Word1 = Decrypted Word1, for example. This decrypted configuration data is sent on bus 27 (Fig. 3) to configuration logic 29.

Configuration Logic 29

Configuration logic 29 includes the structures to support optional encryption as well as the structures to prevent design relocation and a single key attack. As shown in Fig. 6, configuration logic 29 includes a holding register 292, control logic 291, configuration registers (FDRI, FAR, CRC, and init CBC are shown), decryptor 24 interface multiplexers 294 and 295, 64-bit assembly register 297, and registers 298 and 299 (for interfacing with configuration access port 21). A 64-bit shift register 299 receives data from configuration access port 21, which can be a single pin for 1-bit wide data or 8 pins for 8-bit wide data. This data is loaded into 64-bit shift register 299 until register 299 is full. Then these 64 bits are preferably shifted in parallel into 64-bit transfer register 298. From there, multiplexer 296b alternately selects right and left 32-bit words, and multiplexer 296a moves the data 32 bits at a time either into holding register 292 or alternately into High and Low portions of assembly register 297 as controlled by control line M. When loading of the bitstream begins, line M and a clock signal not shown cause multiplexers 296a and 296b to move data from 64-bit transfer register 298 to holding register 292. From there these words are applied to control logic 291. If the word is a header, control logic 291 interprets the word. If the op code indicates the data to follow are to be written unencrypted, control logic 291 places an address on bus G to select a register, places a signal on line L to cause multiplexer 294 to connect bus B to bus D, and applies the following word on bus B. On the next clock signal (clock signals are not shown), the data on bus D are loaded into the addressed register. All registers shown in Fig. 4d can be loaded this way. The init CBC register for loading the initial cipher block chaining value is a 64-bit register and receives two consecutive 32-bit words, as shown in Fig. 5b and discussed above.

A modified CBC value formed from (1) the original CBC value stored in the init CBC register and (2) the initial frame address stored in the FAR register is available to decryptor 24. In one embodiment, the initial frame address in the FAR register uses no more than 32 bits while the init CBC value uses 64 bits. In the embodiment of Fig. 6, the 64-bit bus providing the modified CBC value includes 22 bits from the frame address register FAR and 42 bits from the init CBC register. Important to the security provided by the present invention, note that this value depends upon where configuration data will be loaded. If an attacker were to try to load encrypted data into a different place by changing the contents of the FAR register, the modCBC value fed to decryptor 24 would also change.

When the op code command to decrypt a number of words of configuration data is received by control logic 291, the decryption process begins. Control line M causes multiplexer 296a to apply data from transfer register 298 to bus A leading to assembly register 297. Control bus H alternately connects bus A to the High[63:32] and Low[31:0] portions of encrypted data register 297 to form a 64-bit word to be decrypted. Control logic 291 then asserts the Enc_data_rdy signal, which causes decryptor 24 to decrypt the data in register 297.

To perform the decryption, decryptor 24 applies a key address KeyAddr on bus 28 to key memory 23 (Fig. 3). This causes key memory 23 to return the 56-bit key in that address on the 56-bit Key lines. It also causes key memory 23 to return two additional bits "Order" also stored in the key data at that address. For the first decryption key, these two bits must indicate that this is a first key or an only key. If not, decryptor 24 asserts the Bad_key_set signal, which causes control logic 291 to abort the configuration operation. If these two bits indicate the key is a first or only key, decryptor 24 performs the decryption, using for example the well known DES algorithm (described by Schneier, ibid). If the key isn't an only key, decryptor 24 then reads the key at the next address in key memory 23, and checks to see if the two Order bits indicate it is a middle or last key. If not, the Bad_key_set signal is asserted and the configuration is aborted. If so, decryption is performed. If it is a middle key, another round of decryption is done. If it is the last key, decryptor 24 forms the XOR function of the decrypted word and the value modCBC. Decryptor 24 then places the resultant value on the 64-bit Decrypted_data bus and asserts the Dec_data_rdy signal. This causes control logic 291 to place signals on control line K to cause multiplexer 295 to break the 64-bit word into two sequential 32-bit words. Control logic 291 places a signal on line L to cause multiplexer 294 to forward the 32-bit words of decrypted data to bus D. Control logic 291 also places address signals on bus G to address frame data input register FDRI. The next clock signal moves the decrypted data to bus D where it is loaded into the frame register and, when the frame register is full, eventually shifted into configuration memory 12 at the address indicated in the FAR register.

The modCBC value is used only once in the decryption operation. Subsequent 64-bit words of encrypted data are decrypted and then chained using the previously decrypted data for the XOR operation. (The value stored in the FAR register is also used only once to select a frame address. Subsequently, the frame address is simply incremented every time a frame is filled.)

Flow of Operations

Fig. 8 indicates the flow of operations performed by configuration logic 29 and decryptor 24. Configuration logic 29 begins at step 70 by loading the bitstream headers and placing the corresponding data into configuration logic registers shown in Fig. 4b, including determining bitstream length. At step 71, as a further part of the start-up sequence, configuration logic 29 reads the first configuration memory address. Recall that the bitstream format includes an op code that indicates whether encryption is to be used. Step 72 branches on the op code value. If encryption is not used, the process is shown on the left portion of Fig. 8. If encryption is used, the process is shown in the right of Fig. 8. For no encryption, at step 73, configuration logic 29 sets a counter equal to the bitstream word count (see Fig. ...). At step 74, 32 bits (1 word) of configuration data are sent to the addressed frame of configuration memory 12. If step 75 indicates the counter is not finished, then at step 76 the counter is decremented and the next 1 word of configuration data are sent to configuration memory 12. When the counter has finished, configuration logic 29 performs cleanup activities including reading the final cyclic redundancy value to compare with a value at the end of the bitstream to determine whether there were any errors in loading the bitstream.

If step 72 indicates the bitstream is encrypted, the counter is loaded with the word count, and at step 81 the process loads the initial key address from key address register 293 (Fig. 6) into decryptor 24.

At step 82, two words (64 bits) of encrypted configuration data are loaded into decryptor 24. At step 83 the addressed key is loaded into decryptor 24. In one embodiment, a 64-bit number is loaded into decryptor 24. This 64-bit number includes a 56-bit key, two bits that indicate whether it is the first, middle, last, or only key, and some other bits that may be unused, used for parity, or used for another purpose. In another embodiment the 64-bit key data includes a single bit that indicates whether it is or is not the last key. In yet another embodiment, the 64-bit key data includes an address for the next key so the keys don't need to be used in sequential order. In another embodiment, extra bits are not present and the key data uses less than 64 bits. In yet another embodiment the bitstream rather than the key indicates how many keys are to be used, but this is believed to be less secure because an attacker can see how many keys are used and perform a single key attack, breaking one key at a time, whereas using the key to indicate how many keys are to be used does not give this information to an attacker.

At step 84, decryptor 24 decrypts the 64-bit data with the 56-bit key using, for example, the DES algorithm. The DES algorithm is described in the above-mentioned book by Bruce Schneier at pages 265 to 278. Other encryption algorithms may also be used, for example, the advanced encryption standard AES. Other algorithms may require more key bits. For example AES requires a key of 128 to 256 bits.

Step 85 determines whether more keys are to be used. The two bits that indicate whether the key is first, middle, last, or only key are examined to determine whether this is the last key, and if not the key address is incremented and decryptor 24 addresses the next key in memory.

After the last key has been used, at step 87, the modified CBC value shown in Fig. 6 as a 64-bit value from combining registers FAR and init CBC is XORed with the decrypted value obtained in step 84. In one embodiment, 22 bits of the random number loaded into the CBC register are replaced with the frame address of the beginning of the bitstream. The goal of the encryption process is to have every digit of the 64-bit encrypted value be a function of all previous bits plus the key. The goal of combining the CBC value with the first address is to cause the decrypted values to change if the bitstream is loaded into a different address from the intended starting address. Step 87 achieves both goals. The new value is then stored. Storage may be in the FAR and init CBC registers shown in Fig. 6, or in another register located in decryptor 24.

At step 88, this decrypted configuration data is sent on bus 27 (Fig. 3) to configuration logic 29. Configuration logic 29 calculates an updated cyclic redundancy check value to be compared with the cyclic redundancy value stored in the CRC register at the end of the loading process. If configuration logic 29 has been set to use encryption, a multiplexer in configuration logic 29 forwards this decrypted configuration data to the addressed column of configuration memory 12.

At step 89 the counter is checked and if not finished, at the next step the counter is decremented and the process returns to step 82 where the next 64 bits (2 words) are loaded from the bitstream. Finally, when step 89 indicates the counter is finished, at step 90, a CRC (cyclic redundancy check) value in the bitstream is compared with a CRC value calculated as the bitstream is loaded. If the values agree, configuration is complete and the FPGA goes into operation. If the values do not agree, a loading error has occurred and the entire configuration process is aborted.

Evaluating Key Order - Preventing Single Key Attack

Fig. 9 shows a state machine implemented by decryptor 24 to evaluate key order. The state machine remains in state S1 until the Enc_data_rdy signal is activated. This signal indicates decryption can begin and moves to decision state Q1 where decryptor 24 applies the address specified by the address Init_key_addr on bus 27 to bus 28, reads back a key and a key order, and from the two bits of key order data determines whether the key is a first or only key. If not, decryptor 24 sends the Bad_key_set signal to control logic 291, and causes configuration logic 29 to abort the configuration. If the address is first or only, decryptor 24 goes to state S3, which decrypts the data. Then the state machine goes to decision state Q2, which determines whether the key is last or only. If so, decryption is complete and at state S4 decryptor 24 returns the decrypted data to configuration logic 29. If not, in state S5, decryptor 24 increments the key address, and gets the new key. The state machine asks question Q3 to determine whether the next key is a middle or last key. If not, state S2 causes the configuration to abort. If the key is middle or last, the state machine returns to state S3 to decrypt the data again. In another embodiment, in state S4 decryptor 24 also performs the step of XORing the decrypted data with a CBC value.

The benefit of storing the key order within the keys is that an attacker can not implement a single key attack because the attacker can not prevent decryptor 24 from using all the keys specified by key memory 23 (as intended by the designer) when performing decryption. It is not necessary to ask the second and third questions Q2 and Q3 to protect against an attacker using a single key attack, since the key order is stored within the key data inside the PLD. However, it is beneficial to the designer or board tester who loads the keys to ask all three questions to make sure that each key has been labeled correctly when it is loaded.

In one embodiment decryptor 24 uses the triple DES standard with a decryption-encryption-decryption sequence, alternating the algorithm (only slightly) each time another key is used. Such a combination is in accordance with the ANSI X9.52 1998 Triple DES standard. In another embodiment, decryption is used each time.
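The decryption path described in the Decryption Process, Flow of Operations and Evaluating Key Order sections above (Figs. 7a/7b, 8 and 9) and the dec/enc/dec key sequence just mentioned can be exercised together in software. The block below is an added example written for this edit, not code from the patent or from any PLD vendor. DES is not in the Python standard library, so a small keyed Feistel network built on SHA-256 stands in for the 64-bit block cipher (an assumption; the chaining and key handling do not depend on which block cipher is used). The two-bit Order encoding, the placement of the Order bits beside the 56-bit key, and all keys, the init CBC value, the frame address and the design words are constructed for the example.

```python
import hashlib
from typing import List

MASK32 = 0xFFFF_FFFF
MASK64 = 0xFFFF_FFFF_FFFF_FFFF
FRAME_ADDR_BITS = 22               # page: 22 bits of FAR replace the low bits of init CBC

# Two-bit "Order" field stored beside each 56-bit key (encoding is an assumption).
FIRST, MIDDLE, LAST, ONLY = 0b00, 0b01, 0b10, 0b11


class BadKeySet(Exception):
    """Models the Bad_key_set line: configuration logic aborts the load."""


def _round(half: int, key: int, rnd: int) -> int:
    # Stand-in round function: SHA-256 over (half, 56-bit key, round index).
    digest = hashlib.sha256(half.to_bytes(4, "big") + key.to_bytes(7, "big") + bytes([rnd])).digest()
    return int.from_bytes(digest[:4], "big")


def block_encrypt(block: int, key: int) -> int:
    left, right = block >> 32, block & MASK32
    for rnd in range(8):
        left, right = right, left ^ _round(right, key, rnd)
    return (left << 32) | right


def block_decrypt(block: int, key: int) -> int:
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(8)):
        left, right = right ^ _round(left, key, rnd), left
    return (left << 32) | right


def modified_cbc(init_cbc: int, frame_addr: int) -> int:
    """modCBC: the low 22 bits of the 64-bit init CBC value are replaced by the FAR value."""
    low = (1 << FRAME_ADDR_BITS) - 1
    return ((init_cbc & MASK64) & ~low) | (frame_addr & low)


def key_entry(key: int, order: int) -> int:
    """One 64-bit key memory word: 56-bit key in the high bits, Order in bits [1:0] (assumed layout)."""
    return (key << 8) | order


def collect_keys(key_mem: List[int], addr: int) -> List[int]:
    """Walk key memory from addr, applying the Fig. 9 checks Q1..Q3 before any key is trusted."""
    key, order = key_mem[addr] >> 8, key_mem[addr] & 0b11
    if order not in (FIRST, ONLY):                       # Q1
        raise BadKeySet("first key is not marked first/only")
    keys = [key]
    while order not in (LAST, ONLY):                     # Q2
        addr += 1
        if addr >= len(key_mem):
            raise BadKeySet("key set runs past the end of key memory")
        key, order = key_mem[addr] >> 8, key_mem[addr] & 0b11
        if order not in (MIDDLE, LAST):                  # Q3
            raise BadKeySet("continuation key is not marked middle/last")
        keys.append(key)
    return keys


def encrypt_design(words: List[int], keys: List[int], init_cbc: int, frame_addr: int) -> List[int]:
    """Designer side (Fig. 7a): outer CBC with enc(k1), dec(k2), enc(k3), ... per word."""
    prev, out = modified_cbc(init_cbc, frame_addr), []
    for w in words:
        x = w ^ prev
        for j, k in enumerate(keys):
            x = block_encrypt(x, k) if j % 2 == 0 else block_decrypt(x, k)
        out.append(x)
        prev = x
    return out


def decrypt_bitstream(enc_words: List[int], key_mem: List[int], init_key_addr: int,
                      init_cbc: int, frame_addr: int) -> List[int]:
    """PLD side (Figs. 7b/8): keys in reverse order with the inverse step for each."""
    keys = collect_keys(key_mem, init_key_addr)
    prev, out = modified_cbc(init_cbc, frame_addr), []
    for c in enc_words:
        x = c
        for j in reversed(range(len(keys))):
            x = block_decrypt(x, keys[j]) if j % 2 == 0 else block_encrypt(x, keys[j])
        out.append(x ^ prev)
        prev = c
    return out


def demo():
    """Constructed scenario: three keys marked first/middle/last plus a lone 'only' key."""
    k1, k2, k3, k4 = 0x0123456789ABCD, 0xFEDCBA98765432, 0x13579BDF02468A, 0x0F0F0F0F0F0F0F
    key_mem = [key_entry(k1, FIRST), key_entry(k2, MIDDLE), key_entry(k3, LAST),
               key_entry(k4, ONLY), 0, 0]                   # six 64-bit words
    init_cbc, far = 0xC0FFEE1234567890, 0x0001_0000         # constructed IV and frame address
    design = [0x0000000000000000, 0x1122334455667788, 0xFFFFFFFFFFFFFFFF, 0x0123456789ABCDEF]
    enc = encrypt_design(design, [k1, k2, k3], init_cbc, far)
    ok = decrypt_bitstream(enc, key_mem, 0, init_cbc, far) == design
    moved = decrypt_bitstream(enc, key_mem, 0, init_cbc, far + 1)   # relocated by one frame
    relocation_detected = moved[0] != design[0]
    try:
        decrypt_bitstream(enc, key_mem, 1, init_cbc, far)           # starts on a MIDDLE key
        bad_set_rejected = False
    except BadKeySet:
        bad_set_rejected = True
    return ok, relocation_detected, bad_set_rejected
```

Two properties of this model are worth noticing. Because the key walk happens before any decryption, a key set whose Order bits do not form first, middle..., last (or a single only) never reaches the cipher, which is the single-key-attack defence the text describes. And because the chaining is plain outer CBC, modCBC enters only the first word's XOR; a changed frame address corrupts Decrypted Word1, and the test checks exactly that word.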

Key Memory 23

The circuit shown in Fig. 10a includes three components: battery supply switch 22, control logic 23a and key registers 23b. Control logic circuit 23a and key registers 23b comprise key memory 23 of Fig. 3. In the embodiment of Fig. 10a, key registers 23b comprise six 64-bit words. Of course, other key memory sizes may alternatively be used. In other embodiments, there may be fewer or more than six keys stored in key memory 23, and more than 3 bits needed to give the address of the key to be used. The power supply for key registers 23b comes from battery supply switch 22 on line VSWITCH. When key memory supply voltage VCCI is insufficient or not present, battery supply switch 22 applies the battery backup voltage VBATT to the VSWITCH line so that VSWITCH is always a positive voltage.

In one embodiment, each key register has 64 memory cells. Each cell receives a write enable signal WE, that when high causes data to be written to the cell and when low causes data in the cell to be held. Cells in one register have a common write enable signal WE. When the PLD supply voltage (different from VCCI) is absent such that the WE signals are not actively driven, weak pull-down transistors such as T1 pull down the WE signal so that none of the key memory registers can be addressed, and none of the memory cells are disturbed.

In one embodiment the JTAG port of a PLD is used to load decryption keys into the PLD. The memory cell supply voltage is at the device voltage level of VCCI during normal operation, and in one embodiment this level is between 3.0 and 3.6 volts. Signals applied to the JTAG port may be several different voltages. Also, there may be several different internal voltages. Thus voltage translation is needed. This voltage translation is performed in the memory cells. Detail of a memory cell is shown in Fig. 10b. The latch comprising inverters I1 and I2 is powered by VSWITCH and is thus powered whether or not a device supply voltage VCCI is present. The WE signal and the inverted data signal data_b both operate at the 1.5 volt level. These signals drive NMOS transistors T4, T5, and T6, and through inverter I3 (also using the 1.5-volt supply voltage) transistor T7. Fig. 10b shows that when WE is low, transistors T4 and T5 are off, and the content of the latch comprising inverters I1 and I2 is retained. When WE is high, one of inverters I1 and I2 is pulled low, thus loading the new data into the latch.

Control logic circuit 23a receives signals from JTAG bus 25 (also shown in Fig. 3). JTAG bus 25 includes control signals for writing, reading, setting the secure mode, and data and address buses. This interface conforms to the IEEE 1532 JTAG standard. Before key memory 23 can be accessed through JTAG bus 25, the security status (bus 26) is placed in non-secure mode, which can be done using the ISC_PROGRAM_SECURITY instruction (see Fig. 10a) and applying logic 1 to bit 0 of the key data bus. Key memory 23 is written to and read (for verification) from JTAG bus 25 using the ISC_PROGRAM and ISC_READ instructions of the IEEE 1532 standard. Control logic 23a includes a decoder for decoding the 3-bit address signal ADDR from JTAG bus 25 to produce a low-going pulse on the addressed one of write strobe lines ws_b[5:0] if the ISC_PROGRAM instruction appears on JTAG bus 25, or a high signal on the addressed one of read select lines rsel[5:0] if the ISC_READ instruction appears on JTAG bus 25. One of the six 64-bit words can be read by applying a high signal to one of the six read select lines rsel[5:0], which causes read multiplexer 23d to place the selected word on the 64 output lines q[63:0]. Only one of the write select lines or read select lines is selected at one time. When no read select signal is asserted, a high pulldown signal causes 64 transistors to pull down the 64 lines q[63:0] and prevent these lines from floating.

If key memory 23 is operating in non-secure mode, the 64-bit words can be read from key registers 23b to JTAG bus 25 where the values can be examined external to the FPGA, and the FPGA can be tested in non-secure mode by using 56 bits of a selected 64-bit word in registers 23b as the 56-bit key for DES decryption. In one embodiment, when key memory 23 is in non-secure mode, readback of a user's design is possible even though the design has been encrypted before loading. This allows the designer to test and debug even an encrypted design. Communication of the key security status is through bus 26 (see also Fig. 3).

After values have been written into key registers 23b and verified with a read operation from bus 25, control logic 23a is placed into secure mode by using the ISC_PROGRAM_SECURITY instruction and applying logic 0 to bit 0 of the 64-bit key data bus which is part of the IEEE 1532 standard. In the secure mode, no access to the keys is granted.

As shown in Fig. 11, to assure that an attacker cannot return to the non-secure mode by using the ISC_PROGRAM_SECURITY instruction and then reading out the keys, if the security is eliminated (if the ISC_PROGRAM_SECURITY signal moves to the non-secure mode), a state machine in control logic 23a erases keys by writing zeros to all six words, one word at a time. This is done by: in step 110 putting zeros on the wdata[63:0] bus and at step 111 asserting the ws_b[0] signal (with a logic 0 value), then at steps 112-117 successively strobing the ws_b[0] through ws_b[5] signals one at a time before changing the security status at step 118 and entering the non-secure mode, and finally at step 119 releasing the wdata[63:0] logic 0 values. Thus, any attempt to place battery backed up memory 23 into a non-secure mode causes all values in key registers 23b to be erased.

To communicate whether key memory 23 is in secure mode, control logic 23a sends a secure mode signal on bus 26 (may be a single line) to configuration logic 29 to indicate that key memory 23 is operating in secure mode. If this signal switches to non-secure mode, configuration logic 29 clears the design from configuration memory 12. Note that an unencrypted bitstream may be loaded by configuration logic 29 into configuration memory 12 even though keys are stored in key registers 23b and key memory 23 is in a secure mode.

Loading the Keys, Multiple Encryption Keys

Decrypting keys must be loaded into the PLD before the PLD is put into a secure mode where a user can not learn details of the design. In the embodiment shown in Fig. 3, the key or keys are loaded through a JTAG port 20.

As a feature of the invention, the encryption keys are loaded through this JTAG port 20. It is expected that JTAG programmers will load the encryption keys during board testing. When the RAM for storing keys is in a non-secure mode, the user has full access to it and can read out both the keys and the design, even if the design has been encrypted. This is useful for the designer while testing the keys and the use of the keys. Then once the designer is satisfied with the operation he or she can send another instruction through the JTAG port and place the key memory into a secure mode. Once the key memory has been placed into secure mode, the keys cannot be read out. Further, moving the key memory from secure to non-secure mode erases the keys by activating a circuit that starts up the memory initialization process. (Fig. 15, discussed below, shows a state machine for performing this function.)
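The secure/non-secure life cycle of key memory 23 described in the Key Memory 23 section (Figs. 10a and 11) and again just above can be modelled as a small state machine. The block below is an added example written for this edit, not code from the patent or from any PLD vendor. Method names mirror the IEEE 1532 instruction names the page quotes; the bit-0 convention (1 = non-secure, 0 = secure) and the six-word, 3-bit-address layout follow the text; the key values in the provisioning helper are constructed. The decryptor-side read path is kept separate from the JTAG path because the text states that decryption proceeds while key memory is secure.

```python
from typing import List

KEY_WORDS = 6                        # page: six 64-bit key registers, 3-bit address
MASK64 = 0xFFFF_FFFF_FFFF_FFFF


class AccessDenied(Exception):
    """Raised where the hardware would simply not act on the JTAG request."""


class KeyMemory:
    def __init__(self) -> None:
        self.regs: List[int] = [0] * KEY_WORDS   # key registers 23b
        self.secure = False                      # security status carried on bus 26
        self.erase_log: List[int] = []           # addresses zeroised, in strobe order

    def _check_addr(self, addr: int) -> None:
        if not 0 <= addr < KEY_WORDS:
            raise ValueError("3-bit key address out of range")

    def isc_program(self, addr: int, word: int) -> None:
        """ISC_PROGRAM: pulse ws_b[addr]; refused while the memory is secure."""
        self._check_addr(addr)
        if self.secure:
            raise AccessDenied("ISC_PROGRAM ignored: key memory is in secure mode")
        self.regs[addr] = word & MASK64

    def isc_read(self, addr: int) -> int:
        """ISC_READ: raise rsel[addr]; in secure mode q[63:0] stays pulled down, so 0."""
        self._check_addr(addr)
        return 0 if self.secure else self.regs[addr]

    def isc_program_security(self, data_bit0: int) -> None:
        """ISC_PROGRAM_SECURITY with bit 0 of the key data bus: 1 = non-secure, 0 = secure."""
        want_secure = (data_bit0 & 1) == 0
        if self.secure and not want_secure:
            self._erase_all()          # Fig. 11: wipe every word before the status changes
        self.secure = want_secure

    def _erase_all(self) -> None:
        # Steps 110-119: zeros on wdata[63:0], strobe ws_b[0] .. ws_b[5] one word at a time.
        for addr in range(KEY_WORDS):
            self.regs[addr] = 0
            self.erase_log.append(addr)

    def key_for_decryptor(self, addr: int) -> int:
        """Bus 28 path used by decryptor 24; not gated by the JTAG security mode."""
        self._check_addr(addr)
        return self.regs[addr]


def program_rejected(km: KeyMemory, addr: int, word: int) -> bool:
    try:
        km.isc_program(addr, word)
        return False
    except AccessDenied:
        return True


def provision_and_lock(keys: List[int]) -> KeyMemory:
    """Board-test sequence from the text: unlock, write each key, read back to verify, lock."""
    km = KeyMemory()
    km.isc_program_security(1)
    for addr, key in enumerate(keys):
        km.isc_program(addr, key)
        if km.isc_read(addr) != key & MASK64:
            raise RuntimeError(f"verification readback failed at address {addr}")
    km.isc_program_security(0)
    return km
```

The ordering inside isc_program_security is the point of the model: the erase runs on the secure-to-non-secure transition and completes before the status flag flips, so there is no state in which the flag reads non-secure while a key value is still present in a register.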
According to one aspect of the invention, more than one key may be used to encrypt the design. For example, if three keys are to be used, the bitstream is first encrypted using the first key, then the resulting encrypted bitstream is again encrypted using the second key, then finally the resulting doubly encrypted bitstream is again encrypted using the third key. This triply encrypted bitstream is stored, for example in a PROM or flash memory on the printed circuit board that holds the PLD.
For decryption, these keys are used in succession (reverse order) to repeatedly decrypt the encrypted bitstream. Furthermore, if more keys are stored in the PLD than are used for decrypting a particular design, the encrypted bitstream may include in an unencrypted portion an indication of how many keys are to be used, and the address of the first key. Such an embodiment may make it easier for an attacker to decrypt the bitstream because the attacker need only deal with one key at a time. Alternatively, the keys themselves may indicate whether they are the first, middle, last or only keys. Thus the same PLD can at different times be programmed to perform different functions (configured with different designs), and information about the values of the different keys can be made available to only one or some of the designers. Thus a first designer may not learn about a second design even though both designs are implemented in the same PLD (at different times).

Regarding Fig. 3, configuration logic 29 includes additional logic beyond configuration logic 14 of Fig. 1. As in the structure of Fig. 1, the bitstream on configuration access port 21 is treated as words, in one embodiment 32-bit words. Several of the words, usually at or near the beginning of the bitstream, contain header information, for example length of the bitstream, starting address for the configuration data. New to the bitstream of the present invention is an indication as to whether the bitstream is encrypted, and the address of a key for decrypting configuration data in the bitstream.

Battery Backed up Memory 

Values stored in key memory 23 are preferably retained by a battery when power to the FPGA is removed.

Further, other memories than encryption keys can also be backed up using a battery supply switch such as switch 22. In particular, a PLD can be manufactured in which the VSWITCH voltage supply is routed to all flip flops in the PLD if the purpose is to preserve data generated by the PLD when the PLD is powered down. And if the purpose is to also preserve configuration of the PLD when the PLD is powered down, configuration memory 12 (Fig. 3) may alternatively be powered from VSWITCH, though such an embodiment requires considerably more battery power than does powering just the flip flops in the PLD, and powering flip flops in turn requires more battery power than does powering a very small memory for storing a few encryption keys.

Fig. 12 shows a structure for battery supply switch 22. In this embodiment, VBATT level shift circuit 31 allows the PLD to use different voltages for the battery and main power supply. And of course the purpose of the circuit is to deal with varying voltage levels. In one embodiment, battery supply switch 22 can handle VCCI voltages up to 3.6 volts, and switches to battery power when VCCI falls below about 1 volt. Battery voltage can be between 1.0 volts and 5.6 volts.

Battery supply switch 22 includes four output driving P-channel transistors P0 through P3. Transistors P0 and P1 turn on and off together as do transistors P2 and P3. The circuit includes two transistors for each leg instead of one in order to avoid any possibility that VCCI and VBATT will be connected together. Transistor P0 includes a parasitic diode (the p-n junction between the drain and substrate) that can conduct current upward in the figure even when the transistor is off. To prevent such current flow, transistor P1 is added and has its substrate connected to its drain so that parasitic diode conduction can only be downward. A similar arrangement is made with transistors P2 and P3. Thus there is no possibility that current will conduct from VBATT to VCCI or from VCCI to VBATT. Inverters 33 and 34 are powered from the VSWITCH voltage, so they are always operational even when VCCI is off. Transistor P4 is a resistor, always on, and provides protection against electrostatic discharge. Most of the time, the structures controlled through transistor P4 do not draw current, so there is usually no voltage drop across transistor P4.

Fig. 13 shows one embodiment of VBATT level shift circuit 31. Output voltage at terminal OUT is controlled by signals IN and INB. These signals are generated by inverters 33 and 34, which derive their supply voltage from the VSWITCH node. Therefore, if VSWITCH is supplied by VBATT, one of signals IN and INB will be at voltage VBATT and the other will be at ground. However, if VSWITCH is supplied by VCCI, one of IN and INB will be at the VCCI voltage level. If IN is at VCCI and INB is at ground, transistor 45 will be on and transistor 46 will be off. The gate of P-channel transistor 43 will ... and transistor ... will be on, pulling the input of inverter 47 to VBATT. The output of transistor 48 will also be at VBATT. Returning to Fig. 12, a voltage level VBATT at the gate of transistor P0 will positively turn off transistor P0.

Fig. 14 shows VCCI detect circuit 32. VCCI detect circuit 32 determines when the voltage on line VSWITCH will be switched to the battery and back to VCCI. This embodiment of circuit 32 is essentially a string of five inverter stages I1 through I5. Controlling of the switching voltage occurs primarily at inverter stage I1. Transistors 52 and 53 form a CMOS inverter. Power to this CMOS inverter must flow through P-channel transistor 51, which doesn't turn on until VCCI reaches the threshold voltage of transistor 51, typically 0.7-0.8 volts. If VCCI is switching slowly, taking several milliseconds to reach full voltage, transistor 51 delays the activation of circuit I1. When transistor 51 turns on, the source (upper terminal) of transistor 52 goes to VCCI. N-channel transistor 53 typically has a threshold voltage of about 0.7-0.8 volts as well but is sized as a weak transistor relative to transistor 52. In one embodiment transistor 53 has a width/length ratio of 1/15 whereas transistor 52 has a width/length ratio of 3/2. So transistor 53 pulls the input of inverter I2 low only until transistor 52 turns on. In one embodiment, circuit I1 pulls the input of inverter stage I2 high when VCCI is at about 1.0 volt. Thus the output of inverter 54 goes low. Inverter stage I3 is a Schmitt trigger. The zero volt input to inverter stage I3 turns off transistors 56 and 57 and turns on transistor 55, pulling node N3 to VCCI and turning on transistor 58, which pulls up node N1, thus raising the voltage at which transistor 56 will turn on, and preventing small variations in VCCI from switching the voltage at node N3. Inverters 59 and 60 are optional and produce a sharper edge of the output signals usebatt and usebattb that cause battery supply switch 22 of Fig. 12 to switch from VBATT to VCCI. Transistor 61, controlled by the VBATT signal, is a weak pull-down transistor and assures that the usebattb line is pulled low when VCCI is not present and therefore not providing an output signal from inverter 60.

Key Not Available to Purchaser of a Product Containing the Configured PLD

In order to prevent an attacker from learning the design that has been used to configure the PLD, several additional steps may be taken.

According to another aspect, a key is loaded into the PLD before sale of a system incorporating the PLD, such that after sale of a system including the PLD, the design can be loaded into the PLD and used, but an attacker can not learn the value stored in the key (or keys). Thus the unencrypted design can not be read or copied. To achieve this security, several steps are taken.

In one embodiment, there are two security flags in the PLD. One indicates whether the decryption keys are secured, and the other indicates whether the design is a decrypted design and must be protected. If JTAG logic 13 (Fig. 3) selects secure mode with the ISC_PROGRAM_SECURITY instruction, a secure_key flag in control logic 23a (Fig. 10a) is set. If the bitstream loaded into the PLD has the indication that design data in the bitstream is encrypted, a secure_design flag in configuration logic 29 (not shown) is set. If either flag is later unset, the entire configuration memory is cleared, thereby removing the decrypted design. If the secure_key flag is reset (by an ISC_PROGRAM_SECURITY instruction), then the keys are also erased.

Fig. 15 shows a state machine for performing the design clearing function. When the secure_design flag is set, the state machine enters state S1. This state monitors a change from secure to non-secure mode of the secure_design flag. As long as the secure_design mode continues, the state machine stays in state S1. Once a change occurs, the state machine enters state S2 and the data shift registers for shifting data into configuration memory 12 are reset, thereby placing zeroes on all data lines for the configuration memory bits. Next, the state machine moves to state S3 where the word line of the addressed frame is asserted. This results in the zeros on the data shift register lines being written into the memory bits at the addressed frame. If question Q1 indicates there are more frames to be addressed, the state machine moves to state S4 where the frame address is advanced and the state machine returns to state S3. When question Q1 indicates there are no more frames to be addressed, the process is done and the configuration memory is cleared.

It is also necessary to protect the keys from being accessed by an attacker.

Loading of the keys is performed before a system containing the design is made available to an end customer. When designers are in the process of developing the design, they may wish to operate the PLD in a non-secure mode for debugging. In order to allow for this debugging operation and also to preserve security of the keys, the key loading process begins in a non-secure mode by clearing all key registers. A secure key flag must be kept in the non-secure mode while keys are loaded and while the keys are read back for verification. The secure key flag may also be kept in the non-secure mode while a configuration bitstream is loaded and decrypted. But once the secure key flag is set, returning the secure key flag to the non-secure mode clears the keys and also initiates operation of the state machine of Fig. 15. So, not only are the keys cleared, but the configuration is also cleared.

Readback Attack and Readback Disable

Some FPGAs allow a bitstream to be read back out of the FPGA, so that a user may debug a design or may obtain state machine information from flip flops in the FPGA. Unless the design were re-encrypted for the read-back operation, the act of reading back the bitstream would expose the unencrypted bitstream to view.

Further security of the design is provided by disabling readback when an encrypted design is loaded into the FPGA. In one embodiment, readback is disabled only if the decryption keys are also secured.

Fig. 11 shows the block diagram of a structure for loading and reading back configuration memory. In one embodiment configuration logic 29 prevents readback when two conditions are present: (1) the security status line on data bus 26 (see Figs. 3 and 10) indicates that the keys are in a secure mode, and (2) configuration logic 29 has responded to op codes in a configuration bitstream that indicate the bitstream is encrypted. So if either the keys are not secured or the bitstream is not encrypted, readback can be enabled. In other embodiments, different conditions control whether readback can be enabled. When configuration logic 29 receives in the bitstream a header indicating that readback is to be performed, it sends on line 107 the frame address stored in its frame address register, which is decoded by address decoder 110 to select the addressed line of bus 109. Next, the word line enable signal on line 108 is asserted, which asserts the selected word line of bus 109 to allow memory cells addressed by the selected word line to place their values on the n data lines 102 (n is the frame length and is stored in configuration logic 29). Configuration logic 29 then asserts the load signal on line 104 to load the frame of data (in parallel) into data shift register 101. Next, configuration logic 29 asserts the shift signal on line 105 to cause data shift register 101 to shift out the frame of data in 32-bit words on bus 103 to the frame data output register (see Fig. 4d) and from there to an outgoing bitstream on configuration access port 21 (Fig. 3).

If decryption is indicated in the bitstream, configuration logic 29 sets internal flags to indicate this. If these flags are set and key memory 23 is in secure mode as indicated by the security status signal on bus 26, then configuration logic 29 responds to a readback command in the bitstream by keeping the word line enable signal on line 108 inactive and by keeping the load and shift signals on lines 104 and 105 inactive to prevent readback. However, if key memory 23 is not in secure mode, even though the design may be encrypted, readback is allowed so that testing and debugging are possible.


Partial Reconfiguration Attack and Prevention

Some FPGAs allow partial reconfiguration of the FPGA or allow different parts of a design to be loaded into different parts of the FPGA using starting addresses and separate write instructions. An attacker might attempt to learn the design by partially reconfiguring the design to lead contents of a block RAM or flip flops directly to output ports or by adding a section to an existing design to read out information that can be used to learn the design. For example, the attacker might partially reconfigure the PLD with an unencrypted design whose only purpose is to extract information about the encrypted design. Such a Trojan Horse design could be loaded into the PLD with another bitstream or attached to an existing encrypted bitstream. If the attacker was interested in learning a state machine design loaded into block RAM of an FPGA, for example, the Trojan Horse design could include logic to cycle through the addresses of the block RAM and send the block RAM data contents to package pins.

In order to prevent an attacker from making such changes, if the original design is encrypted, configuration logic 29 disallows partial reconfiguration once configuration with decryption is started. Configuration logic 29 disallows a further write instruction once a header with the decryption op code has been processed. Also, configuration logic 29 disallows configuration with decryption once configuration without encryption has been done. Configuration logic 29 accomplishes these restrictions by ignoring headers that write to configuration memory after a decrypt instruction has been received and ignoring headers that have a decrypt command if an unencrypted portion of a design has been loaded. Thus, if any op code indicates that writing with decryption is being used, the PLD will accept only a single write instruction.
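As an added reference model, not code from the patent, the following Python captures the rules of the preceding three sections together: the secure_key and secure_design flags with the Fig. 15 clearing behaviour, the two-condition readback gate, and the partial-reconfiguration lockout. Frame size, memory size and the method names are assumptions, and decryption itself is left out of the model.

```python
"""Model of the configuration-logic rules described above: the secure_key
and secure_design flags, the Fig. 15 design-clearing state machine, the
two-condition readback gate and the partial-reconfiguration lockout.
Added example, not the patent's circuit; frame size, memory size and call
names are constructed, and decryption itself is out of scope (words given
to an encrypted write are taken as already-decrypted design data)."""
from dataclasses import dataclass, field

FRAME_WORDS = 4   # assumed frame length n, in 32-bit words
NUM_FRAMES = 8    # assumed number of frames in configuration memory 12


@dataclass
class ConfigurationLogic:
    secure_key: bool = False      # set by ISC_PROGRAM_SECURITY (control logic 23a)
    secure_design: bool = False   # set when an encrypted bitstream is processed
    decrypt_seen: bool = False    # a header with the decrypt op code was seen
    plain_written: bool = False   # an unencrypted portion has been loaded
    keys: list = field(default_factory=list)
    memory: list = field(default_factory=lambda: [[0] * FRAME_WORDS for _ in range(NUM_FRAMES)])

    def clear_configuration(self) -> None:
        """Fig. 15: S2 zeroes the data shift registers, then S3/S4 write the
        zero frame at every address until Q1 reports no more frames."""
        for frame in range(NUM_FRAMES):
            self.memory[frame] = [0] * FRAME_WORDS
        self.secure_design = self.decrypt_seen = self.plain_written = False

    def load_key(self, key: bytes) -> bool:
        """Keys are accepted only while the key memory is in non-secure mode."""
        if not self.secure_key:
            self.keys.append(key)
        return not self.secure_key

    def set_secure_key(self, secure: bool) -> None:
        """ISC_PROGRAM_SECURITY; leaving secure mode erases keys and design."""
        if self.secure_key and not secure:
            self.keys.clear()
            self.clear_configuration()
        self.secure_key = secure

    def write(self, start_frame: int, words: list, encrypted: bool) -> bool:
        """Process a write header; returns False when the header is ignored."""
        if self.decrypt_seen or (encrypted and self.plain_written):
            return False  # single write once decrypting; no decrypt after plain
        if encrypted:
            self.decrypt_seen = self.secure_design = True
        else:
            self.plain_written = True
        for i in range(0, len(words), FRAME_WORDS):
            self.memory[start_frame + i // FRAME_WORDS] = words[i:i + FRAME_WORDS]
        return True

    def readback(self, frame: int):
        """Readback is blocked only when the keys are secure AND the loaded
        design was encrypted; otherwise it stays available for debugging."""
        if self.secure_key and self.secure_design:
            return None  # word line enable, load and shift signals held inactive
        return list(self.memory[frame])
```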

Additional Embodiments

The above description of the drawings gives detail on a few embodiments. However, many additional embodiments are also possible. For example, instead of the cipher block chaining algorithm discussed above, one can use an encryption method called cipher feedback mode in which data can be encrypted in units smaller than the block size, for example one byte at a time. This cipher-feedback mode is described by Schneier, ibid, at pages 200-203.

In yet another embodiment, if encryption is used, all bitstreams must be loaded starting at address 0. One implementation of this embodiment replaces any address loaded into the starting frame address register FAR (Fig. 6) with address 0 when an op code specifying encryption is received.

In still another embodiment, the starting address and the design data are both encrypted. In this embodiment, it is possible to load several segments of encrypted design data starting at different frame addresses ... with unencrypted design data.

In another embodiment, the key data stored in a key memory such as key memory 23 specifies the number of keys that will follow. In a variation on this embodiment, the key data also specify the number of keys that precede the key. If an attacker gives a key address other than the first key address intended by the designer, the configuration may be aborted. Additionally, encryption will proceed until the number of keys specified within the keys have been used.

In another embodiment, instead of allowing keys to be read back when the key memory is in a non-secure mode, the keys include parity bits or CRC check bits, and only these bits can be read back for verification that the key or keys were loaded correctly. This embodiment allows keys known to one designer to be kept secret from another designer, and is useful when the PLD is to be used at different times for loading different designs.
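The two key-memory embodiments just described, as an added Python model that is not the patent's own logic: each entry records how many keys precede and follow it, a key address that does not point at the first key of a chain aborts configuration, and readback in non-secure mode exposes only a CRC of each key. Entry layout, CRC-32 as the check bits, and the function names are assumptions.

```python
"""Model of a key memory whose entries carry chain counts and check bits.
Added example, not the patent's circuit; the entry layout, the use of
CRC-32 as the check bits, and the function names are constructed."""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyEntry:
    key: bytes
    keys_preceding: int   # position of this key within its chain
    keys_following: int   # how many keys still follow in the chain
    check: int            # CRC-32 of the key: the only part ever read back


def load_key_chain(keys):
    """Build the key memory entries for one design's chain of keys."""
    n = len(keys)
    return [KeyEntry(k, i, n - 1 - i, zlib.crc32(k)) for i, k in enumerate(keys)]


def select_keys(memory, address):
    """Return the key chain named by the bitstream's key address, or None
    to abort: the address must name the first key of a chain, and the
    chain length comes from the count stored in that key."""
    if not 0 <= address < len(memory):
        return None
    first = memory[address]
    if first.keys_preceding != 0:
        return None  # attacker pointed into the middle of a chain
    count = 1 + first.keys_following
    if address + count > len(memory):
        return None
    return [entry.key for entry in memory[address:address + count]]


def readback_check_bits(memory, address):
    """Non-secure-mode readback: only the check bits, never the key bytes,
    so one designer can verify loading without learning another's key."""
    return memory[address].check


def verify_loaded(memory, address, expected_key):
    """Designer-side check that the intended key landed at the address."""
    return readback_check_bits(memory, address) == zlib.crc32(expected_key)
```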
Regarding the CRC checksum calculation discussed above, embodiments can be provided in which the CRC checksum is calculated either before or after a design is encrypted. Of course, if the checksum added to the bitstream is calculated before the design data is encrypted, then a corresponding checksum must be calculated within the PLD on the design data after it has been decrypted. Likewise, if the checksum added to the bitstream is calculated after the design data has been encrypted, then the PLD must calculate the corresponding checksum on the received bitstream before the design data have been decrypted.
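The checksum-placement point above, as an added example rather than the patent's implementation: the bitstream builder appends a CRC either over the plaintext or over the ciphertext, and the PLD side must compute its own CRC at the matching point (after or before decryption). The cipher here is a constructed keystream XOR standing in for the block cipher, and the 32-bit trailer format is an assumption.

```python
"""Checksum placement for an encrypted bitstream: CRC over the plaintext
(verified after decryption) or CRC over the ciphertext (verified before).
Added example, not the patent's design. The cipher is a constructed
keystream XOR (SHA-256 of key || block counter) standing in for the block
cipher; a 32-bit CRC trailer is appended to the bitstream."""
import hashlib
import struct
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with a SHA-256 keystream (self-inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_bitstream(design: bytes, key: bytes, crc_before_encrypt: bool) -> bytes:
    """Designer side: encrypt the design and append the CRC trailer, computed
    over the plaintext or over the ciphertext depending on the embodiment."""
    body = keystream_xor(key, design)
    covered = design if crc_before_encrypt else body
    return body + struct.pack(">I", zlib.crc32(covered))


def pld_load(bitstream: bytes, key: bytes, crc_before_encrypt: bool):
    """Configuration-logic side: returns the decrypted design, or None when
    the CRC fails. The PLD must mirror the builder's ordering: a plaintext
    CRC is checked after decryption, a ciphertext CRC before it."""
    body, (crc,) = bitstream[:-4], struct.unpack(">I", bitstream[-4:])
    if crc_before_encrypt:
        design = keystream_xor(key, body)
        return design if zlib.crc32(design) == crc else None
    if zlib.crc32(body) != crc:
        return None  # reject before spending any decryption work
    return keystream_xor(key, body)
```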

A further note regarding the process of loading the decryption keys: when the process illustrated in Fig. 8 is used, it is not necessary to use a device programmer for loading decryption keys. The keys may simply be loaded as part of a board test procedure.

It is also possible to use the structures and methods described above for programming more than one PLD. It is well known to use a single bitstream for programming more than one PLD or FPGA, either by arranging several devices in a daisy chain and passing the bitstream through the devices or by addressing the devices in series. It is possible to arrange several PLDs in such an arrangement when one or more of the devices is to receive encrypted design data.

As yet another embodiment, although one embodiment was described in which only a single address could be specified for a bitstream having encrypted design data, in another embodiment, several addresses, preferably encrypted, can be specified for loading separate portions of a design. Further, these separate portions may use the same encryption key or keys, or the separate portions may use different encryption keys or different sets of keys.

Variations that have become obvious from the above description are intended to be included in the scope of the invention.
CLAIMS

1. A method of protecting a design for configuring a PLD comprising the steps of:
loading an encrypted bitstream representing the design into the PLD;
decrypting the bitstream in the PLD to produce an unencrypted bitstream representing the design;
configuring the PLD with the unencrypted design; and
disabling readback of the unencrypted bitstream.

2. A method of protecting a design for configuring a PLD comprising the steps of:
loading an encrypted bitstream representing the design into the PLD;
decrypting the bitstream in the PLD to produce an unencrypted bitstream representing the design;
configuring the PLD with the unencrypted bitstream; and
disabling the PLD from being partially reconfigured.

3. The PLD of Claim 2 wherein the step of disabling the PLD from being partially reconfigured also prevents part of a user's design from being relocated to another part of the PLD.